Coordinated Vulnerability Disclosure

Carestream Product Security Policy

Carestream Health is committed to providing secure products and services to our customers and patients. We strive to maintain and improve the security of our medical devices and systems throughout the product lifecycle, including the use of the following practices as applicable:

  • Security by design
  • Security risk management
  • Secure coding practices
  • Security scanning and testing practices
  • Vulnerability intake and handling practices
  • Third-party software vulnerability monitoring
  • Patch management
  • Information sharing with industry-appropriate organizations such as H-ISAC
  • Event and incident response practices

Carestream Health recognizes the need to share security-relevant information to better understand threats and protect our customers, patients and the overall healthcare infrastructure. We are also dedicated to ensuring our customers receive information about vulnerabilities and any actions they need to take to preserve the confidentiality, integrity and availability of our products and services. To fulfill these commitments, Carestream Health is engaged in efforts to foster global programs for communication, event handling and information sharing.

Coordinated Vulnerability Disclosure

Independent cybersecurity researchers are a valuable source of information on the security posture of many manufactured products. It is Carestream’s goal to cooperate and coordinate with these researchers regarding vulnerabilities they discover in our products. The information below describes the Coordinated Vulnerability Disclosure process through which independent cybersecurity researchers may collaborate with us on reporting medical device vulnerabilities.

Scope

The scope of Carestream’s Coordinated Vulnerability Disclosure process includes the following product families:

  • Diagnostic Imaging Systems
  • Digital Printers
  • MyView Center Kiosk products

We ask that security researchers submit vulnerability reports through this process only for Carestream products.

This reporting process is not to be used to report Product Quality Complaints or to request Technical Support. Please visit the following site for those types of engagements: https://www.carestream.com/en/us/services-and-support. Please also use that site for security questions or comments about other Carestream products.

Important Legal Information

Carestream Health will not engage in legal action against individuals who submit vulnerability reports through our Vulnerability Reporting Form and abide by the agreements outlined as part of this form submission process. We openly accept reports for all Carestream products. We agree not to pursue legal action against individuals who:

  • Engage in testing of systems/research without harming Carestream or its customers.
  • Perform tests on products without affecting customers, or obtain permission/consent from customers before engaging in vulnerability testing against their devices, software, etc.
  • Engage in vulnerability testing within the scope of our vulnerability disclosure program in accordance with the terms and conditions of any agreements entered into between Carestream and individuals.
  • Adhere to the laws of their location and of the jurisdictions in which Carestream operates. Activity that would only give rise to a non-criminal claim by Carestream (for example, reverse engineering or circumventing protective measures) may be acceptable, as Carestream is authorizing that activity to improve its systems.
  • Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.

Procedure to Submit a Vulnerability

  • To submit a vulnerability report to Carestream’s Product Security Team, please submit this form with a brief description of your discovery. Carestream will send a timely response to your submission (typically within five business days).
  • Independent cybersecurity researchers who discover and submit a vulnerability report to us may choose to receive credit after the submission has been accepted and validated by our product security team.

Preference, Prioritization and Acceptance Criteria

Carestream will use the following criteria to prioritize and triage submissions.

What we would like to see from you:

  • Well-written reports in English will have a higher chance of resolution.
  • Reports that include proof‐of‐concept code equip us to better triage issues.
  • Reports that include only crash dumps or other automated tool output may receive lower priority.
  • Please include how you discovered the vulnerability, the impact and any potential remediation.
  • Please include any plans or intentions for public disclosure.

What you can expect from us:

  • A timely response to your submission (typically within five business days).
  • After triage, we will promptly send a projected remediation timeline, and we commit to being as transparent as possible about that timeline and about any issues or challenges that may extend it.
  • An open dialog to discuss issues.
  • Notification when the vulnerability analysis has completed each stage of our review.
  • Credit after the vulnerability has been validated and fixed.

If we are unable to resolve communication issues or other problems, we may bring in a neutral third party (such as CERT/CC, ICS-CERT, or the relevant regulator) to assist in determining how best to handle the vulnerability.

This webpage was reviewed and/or updated on 1/18/2019.